1. Field of the Invention
The invention relates generally to the field of securing stored digital data from access by unauthorized users.
The invention relates more specifically to the problem of providing password-based, secured file access to users who work on any one of a plurality of computers.
The invention relates even more particularly to the problem of providing user log-in records (passport records) and allowing the same to be securely used across a plurality of computer workstations for user authentication and for other user-specific needs.
2a. Cross Reference to Copending Applications
The following copending U.S. patent application(s) is/are assigned to the assignee of the present application, and its/their disclosures is/are incorporated herein by reference:
(A) Ser. No. 08/643,742 filed May 6, 1996 now U.S. Pat. No. 5,768,373 by S. Lohstroh et al and entitled, A METHOD FOR PROVIDING A SECURE NON-REUSABLE ONE-TIME PASSWORD;
(B) Ser. No. 08/642,217 filed May 6, 1996 by S. Lohstroh et al and entitled, CRYPTOGRAPHIC FILE LABELING SYSTEM FOR SUPPORTING SECURED ACCESS BY MULTIPLE USERS; and
(C) Ser. No. 08/586,511 filed Jan. 16, 1996 U.S. Pat. No. 5,699,428 by W. McDonnal et al and entitled, SYSTEM FOR AUTOMATIC DECRYPTION OF FILE DATA ON A PER-USE BASIS AND AUTOMATIC RE-ENCRYPTION WITHIN CONTEXT OF MULTITHREADED OPERATING SYSTEM UNDER WHICH APPLICATIONS RUN IN REAL TIME.
3. Description of the Related Art
As knowledge of computers proliferates throughout society, and as use of computers and of digital data also spreads, the threat grows that unauthorized persons will gain useful (intelligible) access to confidential, digitized information.
As such, it is advisable to take security measures to limit the number of persons who can intelligibly access various stored or transmitted forms of digital data. It is sometimes further advisable to limit the physical locations from which such intelligent access can take place.
A wide variety of materials may be stored or transmitted in the form of digitized signals. By way of example, proprietary digital data may represent financial and engineering documents of a start-up engineering company. The latter documents may be nonvolatily stored as encrypted digital data in the company's central database computer or they may be similarly stored repeatedly across a plurality of networked workstations or even among non-networked portable computers or even further among portable media devices such as floppy diskettes that are carried about by company workers from place to place.
The company may wish to have certain of its proprietary documents kept more confidential than others. More specifically, the company may want to restrict intelligible access to some stored documents such that only very specific groups of people can do so and perhaps only when those people are accessing the information from very specific locations.
At the same time, the company may wish to permit other stored documents to be intelligibly accessible to any company worker from any location while blocking the general public from having similar access.
The company may further desire to have a wide variety of other security options picked out from a spectrum that has, at one end, only one specifically authorized person accessing a certain piece of information through only one specific machine, and, at the opposed end, all authorized persons being able to intelligibly access all pieces of information through any machine located anywhere.
As a more concrete example, the company may possess critical financial records and may wish to limit intelligible access to these records to certain high-level officers of the company, provided further that these people log in through any of a limited number of specific machines located in certain specially-secured offices of the company.
At the same time, the company may have an ongoing engineering program that a select group of engineers are to be allowed access to by means of logging-in from any workstation they happen to be on. For example, a remotely located, company engineer may need to quickly access, by way of communications carried over a local area or a wide area or another communications network (LAN or WAN or Internet), a particular, confidential engineering file that is needed for a rush engineering job.
The security of the so-requested information needs to be safeguarded while it is in-transit. This can be done by transmitting an encrypted copy of the requested file over the communications network. The transmitted copy has to be decrypted at the receiving end to make its information intelligible.
However, before intelligible access is granted at the receiving end, the local computer on which the alleged requester is working should verify that the requester is indeed whom he or she claims to be rather than a spoofer.
The local computer will typically display a demand for a user identification (e.g., the user's publicly-known name such as `John E. Doe` or his initials `JED`) and for a user-memorized password (which password should be known only to the user).
If the requester fails to authenticate his or her identity with a valid identification and matching password, access should be denied.
Oftentimes, the memorized password and user ID are not enough by themselves to provide a desired level of security. After all, the user's identification (his or her name) is known to too many people and thus does not act as a significant safeguard.
The user's password can be compromised through trickery or inadvertence. For example, a first user may trust a `friend` and reveal the password to the friend over the telephone because the friend legitimately needs a particular file. The friend may write the password and the first user's name on a slip of paper so as not to forget. The same friend may later neglectfully drop the paper in a trash bin or other unsecured area where it is acquired by a third person. That third person can then try to penetrate the secured system from any of a large number of portals using the so-compromised password and first user's identification.
In some systems, the physical location of the log-in portal is used as an additional safeguard to reduce the risk of compromise from scenarios such as the one above. Each authorized user is asked to remember a different password for each of plural computer terminals or workstations that the user will work from. If an unauthorized third party gets hold of one of the many passwords, that third party still has to determine through trial and error which machine will accept the password and matching user's name. This may take significant time and expose the third party to risk of being detected as he or she tries to log in to the various different machines.
As additional security, some of the differently-located machines may not be permitted to receive or decipher all of the company's encrypted files. This helps to decrease the amount of possibly compromised data in the event that the third party successfully determines which machine will accept a compromised password and matching user's name.
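The per-machine scheme described above (a user ID and password checked by the local machine, a distinct password for each machine, and a per-machine restriction on which encrypted files a machine may decipher) is illustrated by the following added example. It is not code from the patent; the storage format (salted PBKDF2 hashes), the store layout keyed by (user, machine), and the sample users, machine names and file names are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumption: passwords are never stored in the clear; each (user, machine)
# pair gets its own random salt and a PBKDF2-SHA256 hash of its password.
ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(store: dict, user_id: str, machine_id: str, password: str) -> None:
    """Register a password that is valid only for this user on this machine."""
    salt = os.urandom(16)
    store[(user_id, machine_id)] = (salt, _derive(password, salt))


def authenticate(store: dict, user_id: str, machine_id: str, password: str) -> bool:
    """Return True only if this password was enrolled for this user on this machine.

    A password leaked for one machine therefore does not open any other
    machine, which is the safeguard the per-machine scheme relies on.
    """
    record = store.get((user_id, machine_id))
    if record is None:
        return False
    salt, expected = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), expected)


# Constructed per-machine restriction: a machine may decipher only the
# encrypted files listed for it, limiting exposure if one password leaks.
MACHINE_FILES = {
    "ws-finance-01": {"ledger.enc", "budget.enc"},
    "ws-eng-07": {"design.enc"},
}


def may_access(machine_id: str, filename: str) -> bool:
    """True if the given machine is permitted to receive and decipher the file."""
    return filename in MACHINE_FILES.get(machine_id, set())


def build_demo_store() -> dict:
    """Constructed sample: user JED has a different password on each machine."""
    store = {}
    enroll(store, "JED", "ws-finance-01", "fin-pass-A")
    enroll(store, "JED", "ws-eng-07", "eng-pass-B")
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(authenticate(s, "JED", "ws-finance-01", "fin-pass-A"))  # True
    print(authenticate(s, "JED", "ws-eng-07", "fin-pass-A"))      # False: wrong machine
    print(may_access("ws-eng-07", "ledger.enc"))                   # False
```

The two checks are independent: `authenticate` answers "is this person who they claim to be on this machine", and `may_access` answers "is this machine allowed to decipher this file at all". Both must pass before an encrypted file is delivered and decrypted locally.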
Such dependence on different passwords for different machines is an annoyance however.
Few people want to remember a large number of unique passwords, each for a different machine, unless of course there is a very powerful reason for doing so. Authorized users generally want to be able to roam freely from one workstation to another, and to be able to enjoy quick and easy access to all the information they have authorization for with a single password.
However there is still the danger that the single password of a particular user may leak out inadvertently or through trickery.
If each user wants to rely on just a single, personal password, it is prudent to have one or more additional layers of security.
One such further layer of security is that of requiring authorized users to present a computer-readable identification badge or card (such as a smart card or a magnetic stripe card) to the computer at the time of log-in. The computer-readable identification badge should carry a password-related, long digital key, where the latter key is too long to memorize and ties somehow to the password.
Physical possession of the computer-readable identification badge can be deemed as additional proof that the user is whom he or she claims to be rather than an imposter.
There are problems with the badge approach however. A first problem is the inconvenience of having to physically carry the computer-readable identification badge about. A second problem is the possibility of losing it. If the badge is lost, the user is not only blocked from immediately logging-in but is also blocked from immediately changing his or her password when he or she realizes the badge is lost. This creates a window of opportunity for an unauthorized third party to acquire the old password and the lost badge, and break into the system.
A user should be able to change his or her password at any authorized workstation at any time as desired. Such user-initiated, arbitrary change of the password at any time and any authorized place is a generally desirable thing because it reduces the likelihood of security breaches. Such arbitrary change of password may even be deemed necessary in instances where the user suspects that his/her prior password and identification badge have been compromised.
It would be advantageous to have a secure system that is simple and convenient to use, and in addition is flexible.
The above-mentioned flexibility characteristic implies that each authorized user will be allowed to utilize one or more user-specified passwords to access data either on all or a specified subset of plural machines, as that user or a system administrator sees fit for the given circumstances. The flexibility characteristic further implies that each authorized user will be able to arbitrarily change his or her password at any time and authorized place, either for a specified single machine or for all machines or for a unique subset of machines, as seen fit for the specific circumstances.
The above-mentioned convenience characteristic implies that password-associated authorizing codes (such as the long digital key mentioned above) can be moved around in a confidential and effortless manner despite their use over a plurality of machines, without requiring a physical identification badge.